Solaris Security Today and Tomorrow
Technical Deep Dive
Updated for Solaris 10 05/09, Solaris Next, and Solaris Future
Dr. Christoph [email protected]
Copyright © 2009 Sun Microsystems, Inc. 2
Agenda

• Solaris Security - Goals
• Solaris 9 - Security Review
  > An overview of features from past releases.
• Solaris 10 - Security Deep Dive
  > A dive into new features including: Secure by Default, SMF, Privileges, ZFS, Zones, Trusted Extensions, and more!
• Solaris Next - Security Deep Dive
• Solaris Future - Project Outlines

#include <std/disclaimer.h>

• This presentation includes content and examples inclusive of Solaris 10 05/09.
• While a lot of security controls and functionality is discussed, there is still much more that is not covered in the interest of brevity.
• Functionality introduced prior to Solaris 10 is discussed only in passing or as part of a discussion where that functionality is updated.

Solaris Security Goals

• Defending
  > Provide strong assurance of system integrity.
  > Defend system from unauthorized access.
• Enabling
  > Secure authentication of all active subjects.
  > Protect communications between endpoints.
• Deploying
  > Emphasize an integratable stack architecture.
  > Interoperate with other security architectures.
  > Ease management and use of security features.
  > Receive independent assessment of security.

Solaris 9 Security Review

• Access Control Lists
• Role-based Access Control
• IPsec / IKE
• Solaris Auditing
• TCP Wrappers (inetd, rpcbind)
• Flexible Crypt
• Signed Patches
• Granular Packaging
• SSL-enabled LDAP
• WAN Boot
• IKE Hardware Accel.
• Solaris Fingerprint DB
• Solaris Secure Shell
• Kerberos
• /dev/[u]random
• Enhanced PAM Framework
• Smartcard Framework
• Java Security
• SunScreen 3.2
• Solaris Security Toolkit
• sadmind DES Auth
• LDAP Password Management

Solaris 10 Technical Security Deep Dive

Reduced Networking Metacluster

Metacluster          Cluster      Size (MB)   # Pkgs   # Set-UID   # Set-GID
Reduced Networking   SUNWCrnet    363         154      31          12
Core                 SUNWCreq     396         213      38          13
End User             SUNWCuser    2500        785      68          20
Developer            SUNWCprog    3200        1034     69          20
Entire               SUNWCall     3300        1091     83          21
Entire + OEM         SUNWCXall    3300        1902     83          21

Reduced and Minimal Configurations

• Some environments remove or simply do not install software packages that are not needed (business or technical reasons)
  > Less software to install, upgrade, patch, and maintain.
  > Less software equates to reduced exposure to security vulnerabilities.
• Refer to Sun's Rules of Engagement for the Support of Reduced or Minimal Configurations
  > http://www.opensolaris.org/os/community/security/files/minimization-support-rules-ext.pdf
• Solaris Package Companion can be used to understand software package relationships and dependencies
  > http://www.opensolaris.org/os/project/svr4_packaging/package_companion/

Solaris Package Companion Examples

• EXAMPLE 1: What packages depend on StarOffice?

$ spc-v0.9.ksh -r ./s10u7.rep -l -F -f /opt/staroffice8/program/soffice
SUNWCstaroffice
$ spc-v0.9.ksh -r ./s10u7.rep -F -Z -v SUNWCstaroffice
[C] SUNWCstaroffice StarOffice 8.0

• EXAMPLE 2: On what does SSH depend?

$ spc-v0.9.ksh -r ./s10u7.rep -D -F -v SUNWCssh
[C] SUNWCcs Core Solaris
[C] SUNWCfwcmp Freeware Compression Utilities
[C] SUNWCopenssl OpenSSL
[C] SUNWCssh Secure Shell
[P] SUNWcakr Core Solaris Kernel Architecture (Root)
[P] SUNWcar Core Architecture, (Root)
[P] SUNWgss GSSAPI V2
[P] SUNWgssc GSSAPI CONFIG V2
[P] SUNWkvm Core Architecture, (Kvm)

For more details and information, see the Solaris Package Companion OpenSolaris Project site at: http://opensolaris.org/os/project/svr4_packaging/package_companion/

Cryptographically Signed ELF Objects

• ELF Objects Cryptographically Signed
  > binaries, libraries, kernel modules, crypto modules, etc.

# file /usr/lib/ssh/sshd
/usr/lib/ssh/sshd: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped

# elfsign verify -e /usr/lib/ssh/sshd
elfsign: verification of /usr/lib/ssh/sshd passed.

# elfsign list -f signer -e /usr/bin/ls
CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc

• Cryptographic modules must be signed with a certificate issued by Sun.
  > Signature and certificate must be validated before module can be loaded.
  > Crypto. modules will not load if not signed or have invalid signature.

Non-Executable Stack Example

#include <stdio.h>
#include <string.h>

typedef void (*fptr)(void);

#ifdef __sparc
/* SPARC machine code that the demo copies onto the stack and jumps to */
char shellcode[] =
    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
    "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
    "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08";
#endif

int
main(int argc, char **argv)
{
	fptr f;
	char code[100];	/* stack buffer; execution from here is what noexstk blocks */

	memcpy(code, shellcode, sizeof(shellcode));
	printf("Attempting to start a shell...\n");
	f = (fptr)code;
	f();
	return (0);
}

Non-Executable Stack #1

$ cc -o myshell shell.c
$ cc -o myshell-nx -M /usr/lib/ld/map.noexstk shell.c

$ ./myshell
Attempting to start a shell...
$ exit

$ ./myshell-nx
Attempting to start a shell...
Segmentation Fault(coredump)

Sep 16 15:06:06 kilroy genunix: [ID 533030 kern.notice] NOTICE: shell-noexstk[23132] attempt to execute code on stack by uid 101

Stacks can be globally configured to be non-executable using the noexec_user_stack tunable in /etc/system.

Non-Executable Stack #2

$ telnet victimhost myshell
Trying 10.8.22.39...
Connected to victimhost.
Escape character is '^]'.
finger;
Login     Name            TTY    Idle  When       Where
gbrunett  Glenn Brunette  pts/5        Wed 13:48  void
\377\277\375\364: ^M: not found
[...]
Connection to victimhost closed.

$ telnet victimhost myshell-nx
Trying 10.8.22.39...
Connected to victimhost.
Escape character is '^]'.
Connection to victimhost closed by foreign host.

For more information on Solaris non-executable stack functionality, see: http://blogs.sun.com/gbrunett/tags/noexstk

Service Management Facility

• Provide a uniform mechanism to disable/manage services.
  E.g., svcadm [disable|enable] telnet
• Support alternative service profiles
  E.g., “Secure by Default” profile (since Solaris 10 11/06)
• Leverage authorizations to manage/configure services.
• Define context to permit services to be started as a specific user and group and with specific privileges.
• Support automatic service dependency resolution.
  E.g., svcadm enable -r nfs/client
• Facilitate delegated service restarts.

SMF Example #1

$ profiles
Service Operator
Basic Solaris User
All

$ svcs network/inetd
STATE          STIME    FMRI
online          1:28:15 svc:/network/inetd:default

$ svcadm disable network/inetd

$ svcs -x -v network/inetd
svc:/network/inetd:default (inetd)
 State: disabled since Thu Jul 13 17:05:36 2008
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: man -M /usr/share/man -s 1M inetd
   See: /var/svc/log/network-inetd:default.log
Impact: 5 dependent services are not running:

SMF Example #2

# svcprop -v -p defaults inetd
defaults/bind_addr astring ""
defaults/bind_fail_interval integer -1
defaults/bind_fail_max integer -1
defaults/con_rate_offline integer -1
[...]
defaults/stability astring Evolving
defaults/tcp_trace boolean false
defaults/tcp_wrappers boolean false

# svcprop -p config/local_only rpc/bind
false

# svcs -x sendmail
svc:/network/smtp:sendmail (sendmail SMTP mail transfer agent)
 State: maintenance since Wed Dec 01 01:31:35 2007
Reason: Start method failed repeatedly, last exited with status 208.
   See: http://sun.com/msg/SMF-8000-KS
   See: sendmail(1M)
Impact: 0 services are not running.

SMF Access Control

• Integrated with Solaris Roles (Rights Profiles)
  > Service Management
  > Service Operator
• Integrated with Solaris Authorizations
  > Global: solaris.smf.modify
  > Global: solaris.smf.manage
  > Global: solaris.smf.value
  > Per Service: action_authorization
• Services may have property-group specific authorizations
  > value_authorization – change existing property values
  > modify_authorization – add, modify, or delete properties

SMF Example #3

# svcprop -p httpd -p general apache2
general/enabled boolean false
general/action_authorization astring sunw.apache.oper
general/entity_stability astring Evolving
httpd/ssl boolean false
httpd/stability astring Evolving
httpd/value_authorization astring sunw.apache.admin

Example taken from the Sun BluePrint: Restricting Service Administration in the Solaris 10 Operating System, http://www.sun.com/blueprints/0605/819-2887.pdf

SMF Execution Context

• exec methods can be forced to run as a given user:
  > {start, stop, etc.}/user
• exec methods can be forced to run as a given group:
  > {start, stop, etc.}/group
• exec methods can be forced to use specific privileges:
  > {start, stop, etc.}/privileges
  > {start, stop, etc.}/limit_privileges
• Other exec context can also be defined:
  > default project and resource pool, supplemental groups, etc.

SMF Example #4

# svcprop -v -p start apache2
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default

Example taken from the Sun BluePrint: Limiting Service Privileges in the Solaris 10 Operating System, http://www.sun.com/blueprints/0505/819-2680.pdf

SMF Example #5
[slide content was an image and is not recoverable in this text version]

SMF Example #6
[slide content was an image and is not recoverable in this text version]

Solaris Secure By Default

• Only Secure Shell is reachable by default.
  > root use of Secure Shell is not permitted by default.
• Existing services are configured in SMF to either be:
  > Disabled by default
  > Listening for local (e.g., loopback) connections only
• Configuration can be selected using CLI or JumpStart:
  > netservices: open (traditional) or limited (SBD)
  > service_profile: open or limited_net
• Default installation method in Nevada/OpenSolaris:
  > Solaris upgrades are not changed or impacted.
  > Solaris 10 initial (fresh) installations can select SBD mode.

Solaris Secure By Default Example #1

# netservices
netservices: usage: netservices [ open | limited ]

# netservices limited
restarting syslogd
restarting sendmail
dtlogin needs to be restarted. Restart now? [Y] y
restarting dtlogin

# netstat -af inet -P tcp | grep LISTEN
[...]
      *.sunrpc              *.*                0      0 49152      0 LISTEN
         *.ssh              *.*                0      0 49152      0 LISTEN
  localhost.smtp            *.*                0      0 49152      0 LISTEN
  localhost.submission      *.*                0      0 49152      0 LISTEN

Solaris Secure By Default Example #2

Service         FMRI                                          Property                 Values
rpcbind         svc:/network/rpc/bind                         config/local_only        true, false
syslog          svc:/system/system-log                        config/log_from_remote   true, false
sendmail        svc:/network/smtp:sendmail                    config/local_only        true, false
smcwebserver    svc:/system/webconsole:console                options/tcp_listen       true, false
wbem            svc:/application/management/wbem              options/tcp_listen       true, false
X11             svc:/application/x11/x11-server               options/tcp_listen       true, false
CDE             svc:/application/graphical-login/cde-login    dtlogin/args             [null], -udpPort 0
ToolTalk        svc:/network/rpc/cde-ttdbserver:tcp           proto                    tcp, ticotsord
calendar        svc:/network/rpc/cde-calendar-manager         proto                    tcp, ticlts
BSD printing    svc:/application/print/rfc1179:default        bind_addr                [null], localhost

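An added example (not from the deck or from Sun) that turns the table above into a check: it parses the `pg/prop type value` lines that `svcprop -p <group> <fmri>` prints, as seen in the SMF examples, and lists every property that is not at its 'limited' value. The svcprop output is constructed, and which of each row's two values is the 'limited' one is inferred from what netservices limited does, so treat that mapping as an assumption.

```python
"""Audit svcprop(1) output against the Solaris 'limited' (Secure By Default)
network service settings. Added example, not Sun's tooling."""

# (fmri, property) -> value after `netservices limited`. Taken from the
# Secure By Default table; which of the two listed values is the limited
# one is inferred from the profile's purpose and is an assumption.
LIMITED_PROFILE = {
    ("svc:/network/rpc/bind", "config/local_only"): "true",
    ("svc:/system/system-log", "config/log_from_remote"): "false",
    ("svc:/network/smtp:sendmail", "config/local_only"): "true",
    ("svc:/system/webconsole:console", "options/tcp_listen"): "false",
    ("svc:/application/management/wbem", "options/tcp_listen"): "false",
    ("svc:/application/x11/x11-server", "options/tcp_listen"): "false",
    ("svc:/application/graphical-login/cde-login", "dtlogin/args"): "-udpPort 0",
    ("svc:/network/rpc/cde-ttdbserver:tcp", "proto"): "ticotsord",
    ("svc:/network/rpc/cde-calendar-manager", "proto"): "ticlts",
    ("svc:/application/print/rfc1179:default", "bind_addr"): "localhost",
}


def parse_svcprop(text):
    """Parse `svcprop -p <pg> <fmri>` output: one 'pg/prop type value' per line.
    svcprop escapes embedded spaces with a backslash and prints an empty
    astring as "" (both forms appear in the deck's svcprop output)."""
    props = {}
    for line in text.splitlines():
        fields = line.strip().split(" ", 2)
        if len(fields) < 2:
            continue
        name, ptype = fields[0], fields[1]
        raw = fields[2] if len(fields) == 3 else ""
        value = "" if raw == '""' else raw.replace("\\ ", " ")
        props[name] = (ptype, value)
    return props


def audit_secure_by_default(svcprop_by_fmri, profile=LIMITED_PROFILE):
    """svcprop_by_fmri maps an FMRI to its svcprop output. Returns a list of
    (fmri, property, actual, expected) for every deviation from 'limited'."""
    findings = []
    for (fmri, prop), expected in profile.items():
        if fmri not in svcprop_by_fmri:
            continue  # service not installed on this host
        props = parse_svcprop(svcprop_by_fmri[fmri])
        actual = props[prop][1] if prop in props else "<missing>"
        if actual != expected:
            findings.append((fmri, prop, actual, expected))
    return findings


# Constructed svcprop output for a host installed in "open" mode and then
# only partially hardened by hand.
SAMPLE_HOST = {
    "svc:/network/rpc/bind": "config/local_only boolean false\n",
    "svc:/system/system-log": "config/log_from_remote boolean false\n",
    "svc:/application/graphical-login/cde-login": 'dtlogin/args astring ""\n',
    "svc:/network/rpc/cde-ttdbserver:tcp": "proto astring ticotsord\n",
}

if __name__ == "__main__":
    for fmri, prop, actual, expected in audit_secure_by_default(SAMPLE_HOST):
        print("%s %s: is '%s', limited profile wants '%s'" % (fmri, prop, actual, expected))
```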
Password and Related Controls

• Pluggable Crypt
  > SHA-256, SHA-512, Sun MD5 (+ rounds), BSD MD5, Blowfish
• Password Complexity Checks
  > Login Name != Password, White Space Permitted
  > Minimum Characters by Class
    - Alphabetic, Non-Alphabetic, Uppercase, Lowercase, Digits, Special
  > Maximum Consecutive Repeating Characters
  > Local Banned Password List (Dictionary)
• Password Aging and History
• Account Lockout

Pluggable Crypt Example

# grep "^CRYPT_DEFAULT=" /etc/security/policy.conf
CRYPT_DEFAULT=md5

# grep "^md5" /etc/security/crypt.conf
md5 crypt_sunmd5.so.1 rounds=8000

# grep "^root" /etc/shadow
root:$md5,rounds=8000$kS9FT1JC$$mnUrRO618lLah5iazwJ9m1:13776::::::

$ john ./mypasswd
No password hashes loaded

$ Crack ./mypasswd
$ Reporter | grep -w root
E:1190747899:StoreDataHook: invalid ciphertext: root $md5,rounds=8000$kS9FT1JC$$mnUsRO618lLah5iazwJ9m1

Password Management Example

$ passwd gbrunett
Enter existing login password:
New Password:
passwd: The password must contain at least 1 numeric or special character(s).

Please try again
New Password:
passwd: The password must contain at least 1 uppercase alpha character(s).

Please try again
New Password:
passwd: Too many consecutively repeating characters. Maximum allowed is 3.
Permission denied

$ passwd gbrunett
Enter existing login password:
New Password:
passwd: Password in history list.

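As an added illustration (not Sun's pam_authtok_check code), a Python model of the checks behind the messages above. The parameter names follow /etc/default/passwd; the exact counting rules and the messages not quoted on the slide are assumptions, and the banned list is constructed.

```python
"""Model of the passwd(1) complexity checks shown on the slide. Added example,
not Sun's code. Parameter names follow /etc/default/passwd (NAMECHECK,
WHITESPACE, MINNONALPHA, MINUPPER, MAXREPEATS, HISTORY); how MAXREPEATS
counts a run and the messages not quoted on the slide are assumptions."""

# Policy values that reproduce the three rejections shown on the slide.
POLICY = {
    "NAMECHECK": True,   # the login name may not be used as the password
    "WHITESPACE": True,  # white space is permitted
    "MINNONALPHA": 1,    # digits or special characters required
    "MINUPPER": 1,       # upper-case letters required
    "MAXREPEATS": 3,     # longest permitted run of one character (assumed)
    "HISTORY": 4,        # number of previous passwords remembered
}

# Constructed stand-in for a local banned-password dictionary (DICTIONLIST).
BANNED = {"password", "solaris", "welcome1"}


def longest_run(s):
    """Length of the longest run of identical consecutive characters."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(login, new, history, policy=POLICY, banned=BANNED):
    """Return the passwd-style rejection message, or None if `new` is acceptable.
    `history` lists the user's previous passwords, most recent last (kept in
    the clear here for the model; the real system compares hashed values)."""
    if policy["NAMECHECK"] and new == login:
        return "The password must not be the same as the login name."
    if not policy["WHITESPACE"] and any(c.isspace() for c in new):
        return "The password may not contain white space."
    if new.lower() in banned:
        return "The password is in the banned password list."
    if sum(not c.isalpha() for c in new) < policy["MINNONALPHA"]:
        return ("The password must contain at least %d numeric or special "
                "character(s)." % policy["MINNONALPHA"])
    if sum(c.isupper() for c in new) < policy["MINUPPER"]:
        return ("The password must contain at least %d uppercase alpha "
                "character(s)." % policy["MINUPPER"])
    if policy["MAXREPEATS"] and longest_run(new) > policy["MAXREPEATS"]:
        return ("Too many consecutively repeating characters. Maximum "
                "allowed is %d." % policy["MAXREPEATS"])
    if policy["HISTORY"] and new in history[-policy["HISTORY"]:]:
        return "Password in history list."
    return None


if __name__ == "__main__":
    # Replay the slide's four attempts (candidate passwords are constructed).
    for candidate in ("gbrunetttt", "br00klyn!", "Br0000klyn!", "Br0klyn!"):
        print(candidate, "->", check_password("gbrunett", candidate, ["Br0klyn!"]))
```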
pam_list

• Limit system access based on users and netgroups.
  > “allow” and “deny” lists are maintained in separate local files.
  > Configurable matching policy based upon specific requirements.
• Example: Only non-role administrators can login to the system:

login account requisite pam_roles.so.1
login account requisite pam_list.so.1 allow=/etc/local/admins
login account required  pam_unix_account.so.1

• Example: Ban specific users from the system (all methods):

other account requisite pam_roles.so.1
other account required  pam_unix_account.so.1
other account required  pam_list.so.1 deny=/etc/local/banned nohost

User Rights Management (Roles)

• Solaris Users versus Roles
  > Roles can only be accessed by users already logged in.
  > Users cannot assume a role unless authorized.

$ id -a
uid=80(webservd) gid=80(webservd)

$ roles
No roles

$ su - root
Password:
Roles can only be assumed by authorized users
su: Sorry

webservd Role Access Attempt

• Attempt to remotely access webservd role.

$ ssh -l webservd websvc
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

SYSLOG Reports:

Sep 21 14:20:26 websvc sshd[2516]: [ID 800047 auth.notice] Failed keyboard-interactive for webservd from 192.168.1.110 port 57848 ssh2

Solaris Audit Reports:

header,79,2,login - ssh,,localhost,2007-09-21 14:20:27.187 -04:00
subject,-1,-1,-1,-1,-1,2516,628487479,15928 71168 192.168.1.110
return,failure,Authentication failed
zone,websvc

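An added example, not from the deck: a small parser for the praudit text form shown above (one token per line, comma-separated fields, a record per header token) that pulls out failed `login - ssh` records and flags those whose subject carries no user id at all, which is how a refused role login appears. The records are constructed; the first is adapted from the slide.

```python
"""Parse praudit(1M) text output and pull out failed SSH logins, the record
type shown on the slide. Added example, not Sun's code; the records below are
constructed (the first one is adapted from the slide)."""
from collections import Counter

# praudit default text form: one token per line, fields comma-separated,
# each record starting with a 'header' token.
SAMPLE_AUDIT = """\
header,79,2,login - ssh,,localhost,2007-09-21 14:20:27.187 -04:00
subject,-1,-1,-1,-1,-1,2516,628487479,15928 71168 192.168.1.110
return,failure,Authentication failed
zone,websvc
header,79,2,login - ssh,,localhost,2007-09-21 14:20:41.002 -04:00
subject,-1,-1,-1,-1,-1,2519,628487480,15929 71168 192.168.1.110
return,failure,Authentication failed
zone,websvc
header,80,2,login - ssh,,localhost,2007-09-21 14:21:03.550 -04:00
subject,gbrunett,gbrunett,staff,gbrunett,staff,2523,628487481,15930 71168 192.168.1.110
return,success,0
zone,websvc
header,80,2,login - ssh,,localhost,2007-09-21 14:25:12.100 -04:00
subject,-1,-1,-1,-1,-1,2530,628487482,40112 71168 10.8.22.7
return,failure,Authentication failed
zone,websvc
"""


def parse_praudit(text):
    """Group token lines into records: {'event', 'host', 'time', 'tokens'}."""
    records, current = [], None
    for line in text.splitlines():
        fields = line.split(",")
        if fields[0] == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<time>
            current = {"event": fields[3], "host": fields[5],
                       "time": fields[6], "tokens": {}}
            records.append(current)
        elif current is not None and len(fields) > 1:
            current["tokens"][fields[0]] = fields[1:]
    return records


def subject_of(rec):
    """subject,<auid>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<port major ipaddr>"""
    s = rec["tokens"].get("subject")
    if s is None:
        return None
    return {"auid": s[0], "uid": s[1], "pid": s[5], "sid": s[6],
            "source_ip": s[7].split()[-1]}


def failed_ssh_logins(text):
    """Return (failures_per_source_ip, unattributed_pids): every failed
    'login - ssh' record counted by source address, plus the pids of those
    whose subject has no user id at all (-1 everywhere), which is what an
    attempt to log in directly as a role looks like."""
    per_ip, unattributed = Counter(), []
    for rec in parse_praudit(text):
        ret = rec["tokens"].get("return")
        if rec["event"] != "login - ssh" or not ret or ret[0] != "failure":
            continue
        subj = subject_of(rec)
        if subj is None:
            continue
        per_ip[subj["source_ip"]] += 1
        if subj["auid"] == "-1" and subj["uid"] == "-1":
            unattributed.append(subj["pid"])
    return dict(per_ip), unattributed


if __name__ == "__main__":
    counts, pids = failed_ssh_logins(SAMPLE_AUDIT)
    print("failed ssh logins by source:", counts)
    print("unattributed subjects (role or unknown user), pids:", pids)
```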
User Rights Management (Rights)
[slide content was an image and is not recoverable in this text version]

User Rights Management Example #1

$ profiles -l
Object Access Management:
        /usr/bin/chgrp    privs=file_chown
        /usr/bin/chmod    privs=file_owner
        [...]
[...]

$ ls -ld mnt
drwxr-xr-x 2 gbrunett gbrunett 512 Nov 7 12:54 mnt

$ chown bin:bin mnt
chown: mnt: Not owner

$ pfexec chown bin:bin mnt

$ ls -ld mnt
drwxr-xr-x 2 bin bin 512 Nov 7 12:54 mnt

User Rights Management Example #2

# svcprop -p httpd -p general apache2
general/enabled boolean false
general/action_authorization astring sunw.apache.oper
general/entity_stability astring Evolving
httpd/ssl boolean false
httpd/stability astring Evolving

# auths weboper
sunw.apache.oper

# profiles -l weboper
Apache Operator:
        /usr/sbin/svcadm
        /usr/bin/svcs

User Rights Management Example #3

$ svcs -o state,ctid,fmri apache2
STATE   CTID   FMRI
online  91050  svc:/network/http:apache2

$ svcadm restart apache2

$ svcs -o state,ctid,fmri apache2
STATE   CTID   FMRI
online  91064  svc:/network/http:apache2

$ ls
ls: not found

$ echo *
local.cshrc local.login local.profile

Process Privileges

• Solaris kernel checks for privileges and not just UID == 0!
  > Division of root authority into over 60 discrete privileges.
  > Privileges can be granted to processes based on need.
  > Privileges can be disabled or dropped when not needed.
  > Child processes can have different (fewer) privileges than the parent.
• Completely backward compatible and extensible.
  > No changes required to use existing code.
• Privilege bracketing helps to mitigate effects of future flaws.
  > e.g., proc_fork and proc_exec
  > e.g., proc_info

Process Privilege Sets

• E - Effective
  > Privileges in effect
• P - Permitted set
  > Upper bound of E
• I - Inheritable set
  > Privileges of executed programs
• L - Limit set
  > Upper bound for the process and all its descendants

Process Privilege Inheritance

• Limit (L) is unchanged
• L is used to bound privileges in Inheritable (I)
  > I' = I ∩ L
• Child's Permitted (P') & Effective (E') are:
  > P' = E' = I'
• Typical process
  > P = E = I = {basic}
  > L = {all privileges}
  > Since P = E = I, children run with the same privileges

Process Privileges

• “basic” privileges
  > file_link_any, proc_exec, proc_fork, proc_info, proc_session
• “all” privileges
  > includes “basic” + over 60 administrative privileges
  > dtrace_kernel, file_dac_write, net_privaddr, proc_priocntl, sys_net_config, etc.
• “zone” privileges
  > the set of privileges available to a Solaris zone.
• Trusted Extensions privileges
  > privileges specific for use when TX is enabled.

Root Account Still Special

• root owns all configuration/system files
  > UID 0 is therefore still very powerful
• Privilege escalation prevention
  > Require ALL privileges to modify objects owned by root when euid ≠ 0
  > Fine tuning in certain policy routines
  > Not all privileges, only nosuid mounts
• Prefer services be non-UID 0 + privileges
  > Additive approach is safer than UID 0 – privileges

Using Process Privileges

• ppriv(1)

# ppriv -e -D -s -proc_fork,-proc_exec /bin/sh -c finger
sh[387]: missing privilege "proc_fork" (euid = 0, syscall = 143) needed at cfork+0x18
/bin/sh: permission denied

• User Rights Management (RBAC)

# grep "Network Management" /etc/security/exec_attr
Network Management:solaris:cmd:::/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/sbin/route:privs=sys_net_config

• Service Management Framework (SMF)

# svcprop -p start rpc/bind | grep privileges
start/privileges astring basic,file_chown,file_chown_self,file_owner,net_privaddr,proc_setid,sys_nfs,net_bindmlp
stop/limit_privileges astring :default

• Privilege Aware Commands / Services
  > e.g., ping, rmformat, quota, rpcbind, nfsd, mountd

Process Privileges Example #1

$ ppriv $$
28983: bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

$ ppriv -l basic
file_link_any
proc_exec
proc_fork
proc_info
proc_session

$ ppriv -De cat /etc/shadow
cat[3988]: missing privilege "file_dac_read" (euid = 101, syscall = 225) needed at ufs_iaccess+0xc9
cat: cannot open /etc/shadow

$ ppriv -s -proc_fork,-proc_exec -De /bin/vi
[attempt to run a command/escape to a shell]
vi[4180]: missing privilege "proc_fork" (euid = 101, syscall = 143) needed at cfork+0x3b

Process Privileges Example #2

# ppriv -S `pgrep rpcbind`
933: /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        I: none
        P: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        L: none

# ppriv -S `pgrep statd`
5139: /usr/lib/nfs/statd
flags = PRIV_AWARE
        E: net_bindmlp,proc_fork
        I: none
        P: net_bindmlp,proc_fork
        L: none

Process Privileges Example #3
usr/src/lib/print/libpapi-lpd/common/lpd-port.c

#ifdef PRIV_ALLSETS
	/* turn the required file-access privileges on in the effective set */
	if ((priv_set(PRIV_ON, PRIV_EFFECTIVE,
	    PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) {
		syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m");
		return (-1);
	}
#else
	seteuid(0);
#endif

	/* open the sequence file */
	if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT))
		fd = open(JOB_ID_FILE, O_CREAT|O_EXCL|O_RDWR, 0644);

	syslog(LOG_DEBUG, "sequence file fd: %d", fd);

#ifdef PRIV_ALLSETS
	/* drop file access privilege */
	/* (removing from the permitted set also removes it from the effective set) */
	priv_set(PRIV_OFF, PRIV_PERMITTED,
	    PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL);
#else
	seteuid(getuid());
#endif

The excerpt follows the privilege bracketing pattern:

• Turn Required Privileges On
• Perform the Privileged Operation(s)
• Turn Required Privileges Off

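As an added example (not Solaris code), a Python model of the four privilege sets that covers both the inheritance rules from the earlier slides (I' = I ∩ L, P' = E' = I') and the bracket in lpd-port.c above. The `ALL` set is a stand-in for the real 60+ privileges, and the E ⊆ P and I ⊆ P invariants together with the PRIV_ON/PRIV_OFF side effects are modelled as I understand setppriv(2); treat those details as assumptions.

```python
"""Model of Solaris process privilege sets (E, P, I, L), exec inheritance and
the privilege bracketing pattern from lpd-port.c. Added example, not Solaris
code; ALL stands in for the real set of 60+ privileges, and the E <= P and
I <= P invariants are modelled as I understand setppriv(2) (assumption)."""

BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                   "proc_info", "proc_session"})
ALL = BASIC | {"dtrace_kernel", "file_dac_read", "file_dac_write",
               "net_bindmlp", "net_privaddr", "proc_priocntl",
               "sys_net_config", "sys_nfs", "sys_time"}


class PrivError(Exception):
    """Raised where the kernel would fail the call with EPERM."""


class Process:
    def __init__(self, E=BASIC, P=BASIC, I=BASIC, L=ALL):
        E, P, I, L = map(frozenset, (E, P, I, L))
        if not (E <= P and I <= P):
            raise PrivError("E and I must be subsets of P")
        self.E, self.P, self.I, self.L = E, P, I, L

    def exec(self):
        """Child sets after exec of a non-setuid program, as on the
        inheritance slide: I' = I & L, P' = E' = I', L' = L."""
        new_i = self.I & self.L
        return Process(E=new_i, P=new_i, I=new_i, L=self.L)

    def need(self, priv, where):
        """Kernel check: an operation needing `priv` passes only if it is in E.
        The message mirrors what `ppriv -D` prints."""
        if priv not in self.E:
            raise PrivError('missing privilege "%s" needed at %s' % (priv, where))

    def priv_on(self, which, *privs):
        """setppriv(PRIV_ON): privileges can be turned on in E or I, and only
        if they are already in P. P and L can never grow."""
        s = frozenset(privs)
        if which not in ("E", "I"):
            raise PrivError("cannot add privileges to %s" % which)
        if not s <= self.P:
            raise PrivError("not permitted: %s" % sorted(s - self.P))
        setattr(self, which, getattr(self, which) | s)

    def priv_off(self, which, *privs):
        """setppriv(PRIV_OFF): removing from P also removes from E and I;
        shrinking L only affects children at their next exec."""
        s = frozenset(privs)
        if which == "P":
            self.P, self.E, self.I = self.P - s, self.E - s, self.I - s
        else:
            setattr(self, which, getattr(self, which) - s)


def next_job_id(daemon):
    """The lpd-port.c bracket: enable the two DAC privileges in E, do the
    privileged open, then drop them from P so they cannot be re-enabled.
    Returns the sorted E set after the bracket."""
    daemon.priv_on("E", "file_dac_read", "file_dac_write")
    daemon.need("file_dac_write", "open(JOB_ID_FILE)")   # privileged operation
    daemon.priv_off("P", "file_dac_read", "file_dac_write")
    return sorted(daemon.E)


def restricted_child(*dropped):
    """What `ppriv -s -proc_fork,-proc_exec /bin/vi` leaves the editor with:
    the launcher removes the privileges from its own sets, then execs."""
    launcher = Process()
    launcher.priv_off("P", *dropped)
    return launcher.exec()


if __name__ == "__main__":
    vi = restricted_child("proc_fork", "proc_exec")
    try:
        vi.need("proc_fork", "cfork+0x3b")
    except PrivError as e:
        print("vi[4180]:", e)
```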
Process Privilege Debugging

web_svc zone:  # svcadm disable apache2
global zone:   # privdebug -v -f -n httpd
web_svc zone:  # svcadm enable apache2
global zone:   [output of privdebug command]

STAT  TIMESTAMP        PPID  PID   PRIV          CMD
USED  273414882013890  4642  4647  net_privaddr  httpd
USED  273415726182812  4642  4647  proc_fork     httpd
USED  273416683669622  1     4648  proc_fork     httpd
USED  273416689205882  1     4648  proc_fork     httpd
USED  273416694002223  1     4648  proc_fork     httpd
USED  273416698814788  1     4648  proc_fork     httpd
USED  273416703377226  1     4648  proc_fork     httpd

privdebug is available from the OpenSolaris Security Community, http://www.opensolaris.org/os/community/security/projects/privdebug/

Zones

• Zones are virtualized application environments.
  > No direct access to hardware.
• Zones have security boundaries around them.
• Zones have their own:
  > root directory, naming service configuration, process containment, resource controls, devices, etc.
• Zones communicate via network only (default).
  > shared vs. exclusive IP
• Zones operate with fewer privileges (default).
  > some privileges can be added or removed

Why run services in Zones?

• Restricted Operations for Enhanced Security
  > Individual Solaris OS hardening and RBAC configurations.
  > Prohibited from directly accessing the kernel or raw memory.
  > Prohibited from manipulating network interfaces* and kernel modules.
• Enforcement with Integrity
  > Configurable privileges, sparse root zones, IP Instances, IP Filter, etc.
• Resource Control and Management
  > CPU, Memory, Disk, Networking, Devices, etc.
• Observability with Integrity
  > BART, Solaris Auditing, etc.

*: Applies to shared IP configurations only.

Zones Security – System Calls

• Permitted System Calls:
  > chmod(2), chroot(2), chown(2), and setuid(2), etc.
• Prohibited System Calls:
  > memcntl(2), mknod(2), stime(2), and pset_create(2), etc.
• Limited System Calls:
  > kill(2), etc.

Zones Security – Devices

• /dev Permitted System Calls:
  > chmod(2), chown(2), and chgrp(1)
• /dev Prohibited System Calls:
  > rename(2), unlink(2), symlink(2), link(2), creat(2), and mknod(2)
• Forced nodevices mount option
  > Prevents import of malicious device files from NFS and other foreign sources.
• Security audit performed on all drivers included in default zone configuration.

Zones Security – Privileges

• Mandatory privileges
  > Privileges required by a non-global zone.
  > proc_fork, proc_exec, proc_mount, ...
• Restricted privileges
  > Privileges prohibited from use in a non-global zone.
  > dtrace_kernel, sys_config, sys_net_config, ...
• Optional privileges
  > Privileges that can be added to a non-global zone.
  > dtrace_user, proc_lock_memory, sys_time, ...
• Other default privileges can be taken away!

Zones Example #1

# modload autofs
Insufficient privileges to load a module

# modunload -i 101
Insufficient privileges to unload a module

# snoop
snoop: No network interface devices found

# mdb -k
mdb: failed to open /dev/ksyms: No such file or directory

# dtrace -l
   ID   PROVIDER            MODULE                          FUNCTION NAME

# ppriv -D -e route add net default 10.1.2.3
route[4676]: missing privilege "sys_net_config" (euid = 0, syscall = 4) needed at ip_rts_request+0x138
add net default: gateway 10.1.2.3: insufficient privileges

Zones Example #2

# mount -p
/ - / zfs - no rw,devices,setuid,exec,atime
/dev - /dev lofs - no zonedevfs
/lib - /lib lofs - no ro,nodevices,nosub
/platform - /platform lofs - no ro,nodevices,nosub
/sbin - /sbin lofs - no ro,nodevices,nosub
/usr - /usr lofs - no ro,nodevices,nosub
[...]

# mv /usr/bin/login /usr/bin/login.foo
mv: cannot rename /usr/bin/login to /usr/bin/login.foo: Read-only file system

Zones Example #3

# zonecfg -z myzone info limitpriv
limitpriv: default,sys_time

# zlogin myzone ppriv -l zone | grep sys_time
sys_time

# zlogin myzone svcs -v ntp
STATE   NSTATE  STIME     CTID  FMRI
online  -       10:17:58  214   svc:/network/ntp:default

# zlogin myzone ntpq -c peers
     remote           refid      st t when poll reach [...]
================================================[...]
*blackhole       129.146.228.54   3 u   48   64   77 [...]

# ssh blackhole date ; date ; zlogin myzone date
Thu Jun 15 10:25:25 EDT 2006
Thu Jun 15 10:25:25 EDT 2006
Thu Jun 15 10:25:25 EDT 2006

Virtualization / Compartmentalization

[Diagram: spectrum of isolation technologies, from hard partitions to resource management; only the labels are recoverable here.]

• Hard Partitions (multiple OSs): Dynamic System Domains
• Virtual Machines (multiple OSs): Logical Domains, Xen, VMware, Microsoft Virtual Server
• OS Virtualization (single OS): Solaris Containers (Zones + SRM), Solaris Trusted Extensions, Solaris Containers for Linux Applications
• Resource Management (single OS): Solaris Resource Manager (SRM)

Trend to isolation <-- Hard Partitions ... Resource Management --> Trend to flexibility

ZFS Data Integrity

• Everything is “copy on write”
  > Never overwrites live data
  > On disk state is always valid
  > No need to fsck(1M)
• Everything is transactional
  > Related changes succeed or fail as a whole
  > No need for journaling
• Everything is validated with a 256-bit checksum
  > No silent data corruption
  > No panics due to corrupted meta-data
  > “Bad data” can be healed using mirrored copies

ZFS Data Security

• NFSv4 / NTFS-style Access Control Lists
  > Granular access can be allowed/denied (w/ inheritance)
• Authentication with Cryptographic Checksums
  > Selectable 256-bit checksum algorithms, including SHA-256
  > Uber-checksum provides check for the entire ZFS pool
• File system Snapshots
  > Read-only version of a file system at a specific point in time.
• File system Quotas and Reservations
  > Set maximum (quota) or minimum (reservation) usage limits.
  > Can set quota limit on current content or all referenced content, e.g., snapshots (quota vs. refquota)

ZFS Example #1

$ touch testfile

$ chmod 600 testfile
$ chmod A+user:gmb:read_data:allow testfile

$ ls -l testfile
-rw-------+ 1 gbrunett gbrunett 0 Nov 7 14:22 testfile

$ ls -v testfile
-rw-------+ 1 gbrunett gbrunett 0 Nov 7 14:22 testfile
     0:user:gmb:read_data:allow
     1:owner@:execute:deny
     2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow
     3:group@:read_data/write_data/append_data/execute:deny
     4:group@::allow
     5:everyone@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
     6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow

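An added example, not ZFS code: a parser for the `ls -v` ACL listing above and an evaluator that walks the ACEs in order the way NFSv4-style ACLs are processed, where the first matching ACE that names a requested permission decides it. Privilege overrides (file_dac_*) and the owner's implicit rights over its own ACL are not modelled.

```python
"""Evaluate an NFSv4-style ZFS ACL as printed by `ls -v`, walking the ACEs in
order. Added example, not ZFS code: the ordered-walk rule is the NFSv4 one;
privilege overrides (file_dac_*) and the owner's implicit rights on its own
ACL are not modelled. The ACL text below is the slide's `ls -v` output."""

LS_V_OUTPUT = """\
-rw-------+  1 gbrunett gbrunett  0 Nov  7 14:22 testfile
     0:user:gmb:read_data:allow
     1:owner@:execute:deny
     2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow
     3:group@:read_data/write_data/append_data/execute:deny
     4:group@::allow
     5:everyone@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
     6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
"""

ABSTRACT = ("owner@", "group@", "everyone@")


def parse_ls_v(text):
    """Return [(who, name, perms, access)] from `ls -v` lines of the form
    index:who[:name]:perm/perm/...:allow|deny; the `ls -l` line is skipped."""
    aces = []
    for line in text.splitlines():
        head, _, body = line.strip().partition(":")
        if not head.isdigit():
            continue
        parts = body.split(":")
        if parts[0] in ABSTRACT:
            who, name, perms, access = parts[0], None, parts[1], parts[2]
        else:                      # user:<name>:... or group:<name>:...
            who, name, perms, access = parts[0], parts[1], parts[2], parts[3]
        aces.append((who, name, frozenset(p for p in perms.split("/") if p), access))
    return aces


def ace_matches(ace, user, groups, owner, owning_group):
    """Does this ACE apply to the requesting principal?"""
    who, name = ace[0], ace[1]
    return (who == "everyone@"
            or (who == "owner@" and user == owner)
            or (who == "group@" and owning_group in groups)
            or (who == "user" and name == user)
            or (who == "group" and name in groups))


def access_allowed(aces, requested, user, groups, owner, owning_group):
    """True only if every requested permission is allowed before any of them
    is denied: the first matching ACE that names a permission decides it, and
    permissions that no ACE mentions are denied."""
    undecided = set(requested)
    for ace in aces:
        if not undecided:
            break
        if not ace_matches(ace, user, groups, owner, owning_group):
            continue
        hit = undecided & ace[2]
        if hit and ace[3] == "deny":
            return False
        undecided -= hit
    return not undecided


if __name__ == "__main__":
    acl = parse_ls_v(LS_V_OUTPUT)
    for user, groups in (("gmb", {"gmb"}), ("gbrunett", {"gbrunett"}), ("alice", {"staff"})):
        for perm in ("read_data", "write_data"):
            print(user, perm, access_allowed(acl, {perm}, user, groups, "gbrunett", "gbrunett"))
```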
ZFS Example #2

$ touch test-xattr
$ runat test-xattr cp /etc/motd .
$ runat test-xattr ls
motd

$ touch test-no-xattr
$ chmod A+user:gbrunett:write_xattr:deny test-no-xattr
$ runat test-no-xattr cp /etc/motd .
runat: cannot open attribute directory for test-no-xattr: Permission denied

ZFS Example #3

$ profiles
[...]
ZFS File System Management
[...]
Basic Solaris User
All

$ pfexec zfs set quota=4g laptop/ws

$ pfexec zfs list -o name,mountpoint,quota
NAME              MOUNTPOINT         QUOTA
laptop            /laptop            none
laptop/briefcase  /laptop/briefcase  none
laptop/ws         /laptop/ws         4G

ZFS Delegated Administration

• Grant or revoke specific rights to ZFS pools and volumes.
  > create, destroy, clone, snapshot, mount, etc.
• Set specific properties on ZFS pools and volumes.
  > mountpoint, sharenfs, compression, setuid, etc.
• Assignments can be made to both users and groups.
  > assigned rights can optionally be granted to other users and groups.

ZFS Example #4

$ id
uid=102(gmb) gid=102(gmb)

$ zfs list -r pool/home/gmb
NAME            USED  AVAIL  REFER  MOUNTPOINT
pool/home/gmb  19.5K  25.9G  19.5K  /pool/home/gmb

$ zfs allow pool/home/gmb
$ zfs snapshot pool/home/gmb@backup
cannot create snapshot 'pool/home/gmb@backup': permission denied

$ pfexec zfs allow gmb snapshot,mount pool/home/gmb
$ zfs allow pool/home/gmb
-------------------------------------------------------------
Local+Descendent permissions on (pool/home/gmb)
        user gmb mount,snapshot
-------------------------------------------------------------
$ zfs snapshot pool/home/gmb@backup
$ zfs list -r pool/home/gmb
NAME                   USED  AVAIL  REFER  MOUNTPOINT
pool/home/gmb         19.5K  25.9G  19.5K  /pool/home/gmb
pool/home/gmb@backup      0      -  19.5K  -

ZFS Command History

$ pfexec zpool history -l
History for 'pool':
2008-10-09.15:55:12 zpool create pool c0d1 [user gmb on myhost:global]
2008-10-17.13:46:48 zfs create pool/tmp [user gmb on myhost:global]
2008-10-17.13:49:46 zfs recv -F -d pool [user gmb on myhost:global]
2008-10-17.13:51:38 zfs destroy pool/bin@2008-10-17-001 [user gmb on myhost:global]
2008-10-17.13:51:38 zfs destroy pool/etc@2008-10-17-001 [user gmb on myhost:global]

Cryptographic Framework
•Standards-based, pluggable framework
>Kernel support as well as user-land (PKCS#11)
>Supports administrative policies (e.g., FIPS 140 algorithms only)
•By default, supports major algorithms.
>Encryption : AES, ECC, Blowfish, RC4, DES, 3DES, RSA
>Digest : MD5, SHA-1, SHA-256, SHA-384, SHA-512
>MAC : DES MAC, MD5 HMAC, SHA-1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC
>Optimized for SPARC, Intel and AMD
•Framework supports pluggable hardware/software providers:
>e.g., UltraSPARC T1/T2 and the Sun CryptoAccelerator 6000
Cryptographic Framework
•Now the framework for cryptography is standardized and extensible.
•Your current cryptographic choices and any future technology can easily plug in and just work.
•Standards-based framework
•Same API, software or hardware
•Extensible for future technologies
[Diagram: consumers (Open Source Web Server via OpenSSL, Sun Java Web Server via NSS, Java VM Application via JCE Java Crypto. Extensions, Java Enterprise System, Commercial App via PKCS 11) use the Consumer Interface (PKCS 11) of the Cryptographic Framework; providers attach through the Provider Interface (PKCS 11): Sun Software Crypto. Plug-in (DES, 3DES, AES, Blowfish, RSA, MD5, SHA_, RC4), Hardware Accelerator (UltraSPARC T1, UltraSPARC T2) and Hardware Crypto. Accelerator 6000]
T2/Solaris Cryptographic Architecture
•Access to T2 accelerators is controlled by Solaris CF
•Userland access is via PKCS#11
>Simple to modify applications to use PKCS#11 (if not used already)
>Can interface via OpenSSL
>Offload from Java (JCE)
•Kernel modules communicate directly with the kernel crypto framework
>e.g. KSSL, IPsec
UltraSPARC T2 Processor Performance
•Outperforms competing processors by up to 10X
>With significant core idle time that can be used for other processing
•Outperforms accelerator cards by a wide margin
•On-chip accelerators are more versatile than off-chip solutions
>Cost effective to off-load even small packets with UltraSPARC T2 processor

Competitive Cryptographic Performance

Cipher    2.2GHz dual-core Opteron   2.7GHz quad-core Clovertown   1.4GHz UltraSPARC T2
RSA1024   2.3K Ops/sec               4.8K Ops/sec                  37.0K Ops/sec
AES-128   1.6 Gb/sec                 4.2 Gb/sec                    44.0 Gb/sec

Cipher    Sun SCA6000   Cavium Nitrox PX   1.4GHz UltraSPARC T2
RSA1024   13K Ops/sec   12K Ops/sec        37K Ops/sec
AES-128   1.0 Gb/sec    2.5 Gb/sec         44 Gb/sec
Kerberos
•MIT Kerberos v1.4 Code-base Refresh
•Kerberos Ticket / Credentials Auto-Renewal
•Kerberos LDAP Backend
•KDC Incremental Propagation
•kclient Auto-configuration Tool
•pam_krb5_migrate KDC Auto-population Tool
•TCP and IPv6 Support
•AES-128, AES-256, 3DES, RC4-HMAC Support
•SPNego – GSS-API Dynamic Security Negotiation
•Bundled Remote Applications (Clients & Servers)
>telnet, ftp, rlogin, rsh, rcp, rdist, Secure Shell, Mozilla and Apache
•Public Kerberos Developer APIs
Secure Shell
•GSS-API Support
•OpenSSL Engine (optional HW Accel.) Support
•Enhanced Password Aging Support
•Keyboard “Break” Sequence Support
•X11 Forwarding “on” by default
•RC4, AES CTR mode Encryption Support
•/etc/default/login Synchronization
•SSH2 Rekeying
•Server Side Keepalives
IPsec / IKE
•Uses the Solaris Cryptographic Framework for IPsec and IKE
•NAT-Traversal (RFC 394[78]) Support
•Full Tunnel Mode Support
•AES Cipher Support for IPsec and IKE
•Diffie-Hellman modp Groups: 1024, 1536, 2048, 3072, 4096
•HMAC-SHA2 (SHA-256, SHA-384, SHA-512) for IPsec/IKE
•PKCS#11 locked RSA private keys w/on-disk PIN
•Sun Cluster 3.2 (Clustered IPsec SAs) Support
IP Filter
•Stateful and stateless packet inspection – IPv4, IPv6
•Kernel-based packet filtering
•Protocol proxies (TCP, UDP, FTP, rcmds, etc.)
•Transparent proxy support
•Text-based configuration
•Support for both NAT and PAT
•SYSLOG Logging
•Lightweight, small footprint, high performance
IP Filter Example
pass out quick all keep state keep frags

# Drop all NETBIOS traffic but don't log it.
block in quick from any to any port = 137 #netbios-ns
block in quick from any to any port = 138 #netbios-dgm
block in quick from any to any port = 139 #netbios-ssn

# Allow incoming IKE/IPsec
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in proto esp from any to any

# Allow ping
pass in quick proto icmp from any to any icmp-type echo

# Allow routing info
pass in quick proto udp from any to port = route
pass in quick proto icmp from any to any icmp-type 9 # routeradvert
pass in quick proto igmp from any to any

# Block and log everything else that comes in
block in log all
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
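An added example, not from the slides or from IP Filter itself: a small Python evaluator that applies the rule set above to constructed packets using IP Filter's ordering semantics (rules are read top to bottom, the last matching rule decides, unless a match carries quick, which ends the search). Walking the rules this way shows why quick matters: the non-quick "pass in proto esp" rule is overridden by the later "block in log all", while the quick rules short-circuit. The service-name table and the sample addresses are assumptions; keep state and fragment handling are not modelled.

```python
import ipaddress
from collections import namedtuple

SERVICES = {"ike": 500, "route": 520}   # assumed; real ipf consults /etc/services
ICMP_TYPES = {"echo": 8}

# Rule lines from the slide above (comment lines omitted).
RULESET = """\
pass out quick all keep state keep frags
block in quick from any to any port = 137
block in quick from any to any port = 138
block in quick from any to any port = 139
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in proto esp from any to any
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto udp from any to port = route
pass in quick proto icmp from any to any icmp-type 9
pass in quick proto igmp from any to any
block in log all
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
"""

# A constructed packet; dport/icmp_type are None when they do not apply.
Packet = namedtuple("Packet", "direction proto src dst dport icmp_type",
                    defaults=(None, None))

def _addr(tok):
    """'any' (None) matches everything; otherwise a host address or CIDR."""
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    """Parse one ipf.conf line into a dict; None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = line.split()
    r = dict(action=toks[0], direction=toks[1], text=line, quick=False, log=False,
             proto=None, src=None, dst=None, dport=None, icmp_type=None)
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("quick", "log"):
            r[t] = True
        elif t == "all":                 # any source to any destination
            pass
        elif t == "proto":
            i += 1
            r["proto"] = toks[i]
        elif t == "from":
            i += 1
            r["src"] = _addr(toks[i])
        elif t == "to":                  # 'to port = N' is read as 'to any port = N'
            if i + 1 < len(toks) and toks[i + 1] != "port":
                i += 1
                r["dst"] = _addr(toks[i])
        elif t == "port":                # 'port = <number or service name>'
            i += 2
            r["dport"] = SERVICES.get(toks[i]) or int(toks[i])
        elif t == "icmp-type":
            i += 1
            r["icmp_type"] = ICMP_TYPES.get(toks[i]) or int(toks[i])
        elif t == "keep":                # 'keep state' / 'keep frags': not modelled
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return r

def matches(r, p):
    """True when every constraint the rule states holds for the packet."""
    return (r["direction"] == p.direction
            and r["proto"] in (None, p.proto)
            and (r["src"] is None or ipaddress.ip_address(p.src) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p.dst) in r["dst"])
            and r["dport"] in (None, p.dport)
            and r["icmp_type"] in (None, p.icmp_type))

def evaluate(rules, p):
    """Return (action, logged, deciding rule text).  Rules are walked in order;
    the last match wins unless a matching rule is 'quick', which ends the walk.
    With no match at all IP Filter's default is to pass the packet."""
    decision = None
    for r in rules:
        if matches(r, p):
            decision = r
            if r["quick"]:
                break
    if decision is None:
        return ("pass", False, None)
    return (decision["action"], decision["log"], decision["text"])

RULES = [r for r in map(parse_rule, RULESET.splitlines()) if r is not None]

def decide(direction, proto, src, dst, dport=None, icmp_type=None):
    return evaluate(RULES, Packet(direction, proto, src, dst, dport, icmp_type))
```

Running decide("in", "esp", ...) returns a logged block: the esp pass rule matched, but the later non-quick "block in log all" matched too and is the last match.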
TCP Wrappers
•Supports both tcpd and libwrap and integrated with:
>ssh and sendmail (automatically)
>rpcbind (optionally)
  $ svcprop -p config rpc/bind | grep wrappers
  config/enable_tcpwrappers boolean false
>inetd-services (optionally, globally or per-service)
  $ svcprop -p defaults inetd | grep wrappers
  defaults/tcp_wrappers boolean false
  $ inetadm -l telnet | grep wrappers
  default tcp_wrappers=FALSE
•Configured using /etc/hosts.{allow,deny} and logs to syslog:
  Nov 10 15:18:03 blackhole sshd[17568]: [ID 947420 auth.warning] refused connect from 192.168.1.136
Basic Audit and Reporting Tool
•File-level integrity validation tool:
>Evaluates: uid, gid, permissions/acls, contents, mtime, size, type, etc.
>Enables point-in-time comparison against a previous snapshot.
# cat ./rules
/etc
CHECK all
# find /etc | bart create -I > newManifest
# bart compare -r ./rules ./oldManifest ./newManifest
/etc/user_attr:
  size  control:28268  test:23520
  acl  control:user::rw-,group::rw-,mask:r-x,other:r--  test:user::rw-,group::rw-,mask:r-x,other:rw-
  contents  control:28dd3a3af2fcc103f422993de5b162f3  test:28893a3af2fcc103f422993de5b162f3
For more information on BART, see the Sun BluePrint: Automating File Integrity Checks, http://www.sun.com/blueprints/0305/819-2259.pdf
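An added example, not from the slides or from BART: a Python parser that turns bart compare output like the report above into a per-file map of changed attributes and picks out the entries worth escalating (content, ACL, ownership or existence changes, as opposed to a bare mtime drift). The /etc/user_attr entry is the one on the slide; the mtime-only entry and the added file are constructed.

```python
import re

# 'bart compare' output: the first entry is from the slide, the other two are
# constructed (a metadata-only change and a file absent from the control manifest).
SAMPLE_REPORT = """\
/etc/user_attr:
  size  control:28268  test:23520
  acl  control:user::rw-,group::rw-,mask:r-x,other:r--  test:user::rw-,group::rw-,mask:r-x,other:rw-
  contents  control:28dd3a3af2fcc103f422993de5b162f3  test:28893a3af2fcc103f422993de5b162f3
/etc/motd:
  mtime  control:4550a2c1  test:4550a9f0
/usr/lib/libunknown.so.1:
  add
"""

# "<attr>  control:<value>  test:<value>"; values never contain whitespace,
# so a greedy \S+ copes with ACL strings that themselves contain colons.
ATTR_RE = re.compile(r"^\s*(\S+)\s+control:(\S+)\s+test:(\S+)\s*$")
STATUS_RE = re.compile(r"^\s*(add|delete)\s*$")

# Attributes whose change alters what a file is or who may touch it.  A size
# or mtime difference on its own is recorded but not escalated.
ESCALATE = {"contents", "acl", "mode", "uid", "gid", "type", "dest", "status"}

def parse_compare(text):
    """Parse 'bart compare' output into {path: {attribute: (control, test)}};
    files present on only one side get {"status": "add"} or {"status": "delete"}."""
    report, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]            # a new file entry starts
            report[current] = {}
            continue
        if current is None:
            raise ValueError(f"attribute line before any path: {line!r}")
        m = ATTR_RE.match(line)
        if m:
            report[current][m.group(1)] = (m.group(2), m.group(3))
            continue
        m = STATUS_RE.match(line)
        if m:
            report[current]["status"] = m.group(1)
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return report

def triage(report):
    """Paths whose differences include an escalating attribute, in report order."""
    return [path for path, attrs in report.items() if ESCALATE & set(attrs)]

def summarize(report):
    """One line per path, suitable for a ticket or a syslog message."""
    lines = []
    for path, attrs in report.items():
        if "status" in attrs:
            lines.append(f"{path}: {attrs['status']}")
        else:
            lines.append(f"{path}: changed {', '.join(sorted(attrs))}")
    return lines
```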
Solaris Fingerprint Database
Searchable database of MD5 fingerprints for files included in Solaris, Trusted Solaris, and bundled software.
# digest -v -a md5 /usr/lib/ssh/sshd
md5 (/usr/lib/ssh/sshd) = b94b091a2d33dd4d6481dffa784ba632
[Process fingerprint using the Solaris Fingerprint DB]
b94b091a2d33dd4d6481dffa784ba632 - (/usr/lib/ssh/sshd) – 1 match(es)
 * canonical-path: /usr/lib/ssh/sshd
 * package: SUNWsshdu
 * version: 11.10.0,REV=2005.01.21.15.53
 * architecture: sparc
 * source: Solaris 10/SPARC
For more information on the Solaris Fingerprint Database, see the Sun BluePrint: Solaris Fingerprint Database, http://www.sun.com/blueprints/0306/816-1148.pdf
Solaris Audit
•Kernel auditing of system calls and administrative actions.
>Can record events happening in any zone (from the global zone).
>Can also delegate audit configuration to local zone administrators.
>Can capture complete command line and environment.
>Records original (audit) ID as well as current credentials.
>Audit trail can be formatted as text, XML, and/or delivered via syslog.
•Example:
header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00
subject,joe,joe,other,joe,other,2444,1898931306,12114 22 marduk
text,root
return,failure,Authentication failed
Example adapted from the Sun BluePrint: Enforcing the Two-Person Rule Via Role-based Access Control in the Solaris 10 OS, http://www.sun.com/blueprints/0805/819-3164.pdf
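An added example, not from the slides or from the BluePrint: it groups praudit-style text tokens like the record above into records and then keys detection on the audit ID rather than on the current uid, which is the property the "original (audit) ID" bullet describes. The first record is the slide's; the three that follow (a second failure, a successful su, and a later action performed as root) are constructed.

```python
from datetime import datetime, timedelta

# praudit text tokens, one per line.  The first su record is from the slide;
# the remaining records are constructed for this example.
SAMPLE_TRAIL = """\
header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00
subject,joe,joe,other,joe,other,2444,1898931306,12114 22 marduk
text,root
return,failure,Authentication failed
header,77,2,su,,tundra,2006-11-06 21:55:40.101 -08:00
subject,joe,joe,other,joe,other,2445,1898931306,12114 22 marduk
text,root
return,failure,Authentication failed
header,77,2,su,,tundra,2006-11-06 21:56:02.532 -08:00
subject,joe,joe,other,joe,other,2446,1898931306,12114 22 marduk
text,root
return,success,0
header,98,2,execve(2),,tundra,2006-11-06 21:56:10.004 -08:00
subject,joe,root,root,root,root,2447,1898931306,12114 22 marduk
path,/usr/bin/cat
exec_args,2,cat,/etc/motd
return,success,0
"""

# subject,<audit ID>,<euid>,<egid>,<ruid>,<rgid>,<pid>,<session ID>,<terminal ID>
SUBJECT_FIELDS = ("audit_id", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid")
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f %z"

def parse_trail(text):
    """Group praudit text tokens into records; each header token starts one."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        tok, _, rest = line.partition(",")
        fields = rest.split(",")
        if tok == "header":        # header,<len>,<version>,<event>,<modifier>,<host>,<time>
            cur = {"event": fields[2], "host": fields[4],
                   "time": datetime.strptime(fields[5], TIME_FMT), "other": {}}
            records.append(cur)
        elif cur is None:
            raise ValueError(f"token before first header: {line!r}")
        elif tok == "subject":
            cur["subject"] = dict(zip(SUBJECT_FIELDS, fields))
        elif tok == "text":
            cur["text"] = rest     # free text may itself contain commas
        elif tok == "return":
            cur["status"], cur["message"] = fields[0], ",".join(fields[1:])
        else:                      # path, exec_args, ... kept verbatim
            cur["other"].setdefault(tok, []).append(fields)
    return records

def failed_su(records, target="root"):
    """su events that failed while trying to become `target`."""
    return [r for r in records if r["event"] == "su"
            and r.get("status") == "failure" and r.get("text") == target]

def repeated_failures(records, threshold=2, window=timedelta(minutes=1)):
    """Audit IDs with at least `threshold` failed su attempts inside `window`.
    Keyed on the audit ID, which stays fixed across su and role changes, so
    attempts made after an identity switch still attribute to the login user."""
    times = {}
    for r in failed_su(records):
        times.setdefault(r["subject"]["audit_id"], []).append(r["time"])
    hits = {}
    for aid, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):            # sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[aid] = max(hits.get(aid, 0), end - start + 1)
    return hits

def actions_of(records, audit_id):
    """(event, effective uid) pairs for everything done under one audit ID."""
    return [(r["event"], r["subject"]["euid"]) for r in records
            if r.get("subject", {}).get("audit_id") == audit_id]
```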
Trusted Solaris History
Product                 Year   Evaluation
SunOS MLS 1.0           1990   TCSEC Conformance (1985 Orange Book)
SunOS CMW 1.0           1992   ITSEC Certified for E3 / F-B1
Trusted Solaris 1.2     1995   ITSEC Certified for E3 / F-B1
Trusted Solaris 2.5.1   1996   ITSEC Certified for E3 / F-B1
Trusted Solaris 8       2000   Common Criteria Evaluated: CAPP, RBACPP, LSPP at EAL4+
Mandatory Access Control, Labeled Desktop, Labeled Printing, Labeled Networking, Labeled Filesystems, Device Allocation, etc.
Solaris Trusted Extensions
•A redesign of the Trusted Solaris product using a layered architecture.
•An extension of the Solaris 10 security foundation providing access control policies based on the sensitivity/label of objects.
•A set of label-aware services which implement multilevel security.
Extending Solaris 10 Security Features
•Process Rights Management (Privileges)
>Fine-grained privileges for X windows
>Rights management applied to desktop actions
•User Rights Management (RBAC)
>Labels and clearances
>Additional desktop policies
•Solaris Containers (Zones)
>Unique Sensitivity Labels
>Trusted (label-based) Networking
Trusted Extensions in a Nutshell
•Every object has a label associated with it.
>Files, windows, printers, devices, network packets, network interfaces, processes, etc.
•Accessing or sharing data is controlled by the relationships between the labels of different objects.
>'Secret' objects cannot see 'Top Secret' objects.
>'Company Internal' cannot send to 'Partner' networks.
•Administrators utilize Solaris Roles for duty separation.
>Installation, System Admin., Security Admin., etc.
What are Label-Aware Services?
•Services that are trusted to protect multi-level information according to predefined policy.
•Trusted Extensions label-aware services include:
>Labeled Desktops
>Labeled Printing
>Labeled Networking
>Labeled Filesystems
>Label Configuration and Translation
>System Management Tools
>Device Allocation
Labeled Desktop
Mandatory Access Control
Putting It All Together
• Solaris 10 Security – A Secure Foundation for Success:
>Reduced Networking Meta Cluster
>Signed Binary Execution
>Secure Service Management
>User Rights Management
>Process Rights Management
>Resource Management
>Kerberos, SSH, IPsec
>Cryptographic Framework
>Containers / Zones
>IP Filter, TCP Wrappers
>Auditing, BART
>Trusted Extensions
But wait! There's more!
•Network Security Improvements
>Kernel SSL Proxy
>IPsec/IKE NAT Traversal
>RIPv2 Protocol Support
>Packet Filtering Hooks
>Randomized TCP/UDP Ephemeral Port Selection
•Auditing Improvements
>Audit Trail Noise Reduction
>Audit Event Reclassification
•New Mount Options
>noexec, nodevices
and more...
•“root” GID is now “0” (root) not “1” (other)
•ip_respond_to_timestamp now “0”.
•find(1) Support for ACLs
•“death by rm” safety
•OpenSSL libraries with a PKCS#11 engine
•Hardware RNG using Crypto Framework
•open(2) [O_NOFOLLOW], getpeerucred(3c), and many other developer enhancements...
•“Off the Record” plugin for pidgin (formerly gaim)
•Sendmail support for TLS
and more...
•NFSv4
>Support for GSS_API, ACLs, etc.
•Sendmail 8.13.8
>Support for rate limiting and milters, TLS, etc.
•BIND 9.3.6-P1
>DNSSEC, Views, IPv6 Support
•Java 5 Security (1.5.0_17-b04)
>Security tokens, better support for more security standards (SASL, OCSP, TSP), various crypto and GSS security enhancements, etc.
•... and the list keeps right on going...
Actions...
1. Share your requirements, experiences, etc!
2. Join the OpenSolaris Security Community!
3. Enjoy the benefits of Solaris 10 Security today!
Solaris Next Technical Security Deep Dive
Solaris Next
• Kerberos Update
• Labeled IPsec
• Security Policy Administration
• ZFS Crypto
Kerberos features
• MIT Kerberos v1.6.3 resync (with PKINIT)
> PKINIT: Public Key Initial Authentication for Kerberos
> Allow various authentication mechanisms
• kdcmgr
> Configure Kerberos server through the command line interface
> Automate server configurations
> Server status information
Kerberos features (cont.)
• kclient v2 (configure Kerberos clients via command line interface)
> Option for joining various Kerberos servers
> Windows 2000, 2003, and 2008 servers
> MIT, Shishi, and Heimdal servers
> Set up Kerberos authentication for PAM
> Configure Kerberos client for cluster
> Support for dynamic clients (w/o keytab)
Kerberos future projects
• MIT Kerberos v1.7 resync
> better interoperability with MS
> negotiating mechanisms (NT Lan Manager mechanism)
> follow client principal referrals in client library when obtaining initial tickets
> CIFS (Common Internet File System from MS) with Kerberos
> DCE (Distributed Computing Environment) standard
> master key rollover support
> makes it easier to change master key passwords or encryption types
> Privilege Attribute Certificate (PAC) support
Kerberos future projects (cont.)
• Credential expiry vs. long running processes
> provisions credentials for use with cron/at and long running processes.
• PAM with PKINIT support
> PAM: Pluggable Authentication Module
> Will provide PKCS#11 interface for smartcard support
Labeled Networking - Problem
• Today, trusted networking involves explicitly-labeled packets.
• Today, most explicitly-labeled networks must be physically secure.
> Labels can be easily forged/injected otherwise.
• IPsec can protect packets against forgery/injection
> But explicit labels are IP options outside ESP's protection.
Labeled Networking
[Diagram: a Solaris Kernel hosting the Global Zone and labeled zones (Need-to-know, Internal Use, Public) attached to a Multilevel Network, a SunRay Network and Intranets]
CIPSO problems
• Cleartext label visible on the wire in each packet
• Not protected end-to-end against modification
• Uses extra space in every packet - complicates MTU discovery
Labeled IPsec - Solution
• Why not associate a packet's label with its IPsec cryptographic key?
• IKE can be either unlabeled or a single explicit label, depending on existing Trusted Networking databases.
• IPsec-protected traffic can have implicit labeling, or implicit PLUS explicit labeling (the explicit label may be the same as or different from the implicit label).
• With Labeled IPsec, the network need not be physically secure.
Labeled IPsec
• Sensitivity label is an attribute of an IPsec Security Association (SA).
• Each SA is single-label, set by Key Management at creation.
• IPsec flow policy enforces label match.
• Label made available to applications is securely bound to traffic.
Labeled IPsec: SADB Extensions
• PF_KEY (RFC 2367) planned for this 10 years ago
• Labels are SA properties
• Inner sensitivity label matches cleartext traffic
• Outer sensitivity label appears on wire in clear
• Outer sensitivity label may be omitted from packet
> No extra space on the wire vs unlabeled IPsec!
• Outer label under control of key management daemon
Labeled IPsec: more information
• Limited prototype is working; not yet available
• Watch:
> http://www.opensolaris.org/os/project/txipsec
• Questions/comments:
> [email protected]
SMC Replacement
• Replaces aging Sun Management Console functionality related to user/account management and RBAC. Includes “Separation of Duty” features.
• Adds a GUI to administer Trusted Extensions networking features.
• Based on Gnome User Manager.
• Back end of GUI interfaces with multiple command line interfaces to do the work. CLIs will also be available for scripting, or advanced users.
• Users requiring this are sites deploying Trusted Extensions (mostly Intelligence Community)
Encrypted Storage with ZFS
• Data Integrity
> Historically considered “too expensive”
> Turns out, no it isn't
> Real world evidence shows silent corruption a reality
> Alternative is unacceptable
“To create a reliable storage system from inherently unreliable components”
ZFS Elevator Pitch
• Ease of Use
> Combined filesystem and volume management
> Underlying storage managed as Pools, which simplify administration
> Two commands: zpool & zfs
> zpool: manage storage pool (aka volume management)
> zfs: manage filesystems
Back to the Elevator Pitch
• Let's add just one word:
“To create a secured reliable storage system from inherently unreliable components”
ZFS Terminology
• Pool
> Collection of disks in RAID
• Dataset
> Filesystem or Emulated volume (ZVOL)
• Copy on Write
> Everything in ZFS is COW & checksummed, written in transactions. Always consistent on disk.
> (POSIX) Sync write via Intent Log (ZIL)
High Level Requirements
• Support software only solution
> Including single disk laptop use case
• SPARC, Intel, AMD64
> Anything that OpenSolaris runs on and that ZFS has already been ported to
• Support keys & cryptographic operations in hardware, e.g. UltraSPARC T2
• Local key management:
> HSM, TPM, smart card, passphrase
• Remote/Centralised key management
High Level Requirements
• Don't break Copy-On-Write semantics
• Integrate with existing ZFS admin model
> CLI & GUI
• Support existing ZFS pools
• Delegation of key management to users, virtualized & Multi Level (MLS) environments
> ability to create encrypted datasets
> Including separation of key use vs key change
ZFS Encryption
• Set encryption policy at the ZFS data set
> Most systems have only one or two pools but many (10s, 100s, 1000s) datasets
> AES-128 and AES-256 only initially but designed to be extensible
• Encrypted iSCSI & FCoE targets via ZVOLs
> No key management on Initiator
• Encrypted datasets CAN be shared using NAS: NFSv2,v3,v4 & CIFS (SMB)
> No key management for NAS clients
Doing the Encryption
• Data set encryption property set at create time
• Actual encryption key is randomly generated
> wrapped by user/admin provided key
• Avoids encrypt later problem
> Avoids old clear text due to COW
• Encryption algorithm and ZFS checksum cannot be enabled or changed later for existing dataset
> ZFS checksum forced to SHA256 rather than default for data Fletcher2
• AES CCM MAC stored with checksum in block pointer.
Key Management
• Wrapping keys provided by user/admin
> passphrase
> Raw (or hex) key
> TPM/HSM/Smartcard (PKCS#11 accessible)
• Wrapping key inherited by child datasets
• Clones can have new encryption key
> Opt in; default is to share origin dataset key.
Key Change
• Key change supported
> Doesn't actually re-encrypt data
> May support this type of mode in future.
> Changes wrapping key.
• Key Change is online
> Datasets must be mounted – or at least key available
> Datasets stay mounted/shared during key change
“External” Key Management
• “Base ZFS”
> Key in file, passphrase, PKCS#11 token
• API in libzfs to provide key by value or PKCS#11 object name.
• zfs(1M) scriptable interface
• TPM support via PKCS#11
> Future encrypted boot may access directly using TCS API
What is encrypted ?
Yes:
• All “application” data
• POSIX layer data
> Permissions, owner etc
• Directory structure
• All ZVOL data
• All the above in a snapshot
• All the above in a clone
No:
• Pool metadata
> Disks, raid config, etc.
> Dataset properties
Deployment Issues:
• Dataset names
• Dataset user properties
SSD Storage & Crypto
• ZFS can use SSD for two distinct purposes
> ZIL – ZFS Intent Log
> Fast write device required
> L2ARC – Cache between memory and disk
> Fast read device required
• SSD is persistent so data MUST be encrypted
> ZIL is always encrypted anyway; SSD case is no different
> L2ARC encrypt on “evict” to cache device, in memory checksum. Ephemeral key.
“The Cryptography Bit”
• Data encrypted with AES in CCM mode
> Integrity of ciphertext
> ZFS Checksum (SHA256) not “keyed” -> for data verification and reconstructions.
> CCM MAC for ciphertext blocks
> ZFS has multiple block sizes: 512 bytes -> 128k
• Key wrapping also uses AES in CCM mode
> Wrapped key integrity
> “Correct Key” checking for free (helps key change)
CCM Params
• Data can be 512 bytes to 128k
> nonceSize = 12 (13 is CCM max: too small)
• AuthDataSize = 0
• Nonce built from blkptr / zio bookmark
> Txg – 64bit non repeating transaction id for pool
– Can't easily determine which txg a write for a given dataset will happen in. A single txg can contain writes for many datasets.
> Blkid
> Object
• MACsize = 16
> MAC stored in high two uint64_t of zio checksum
> Low two uint64_t store truncated SHA256 (bigendian)
CCM For Key wrapping
• Also use CCM for wrapping the per dataset encryption key.
• CCM Params for wrapping:
> Noncesize 13
> Randomly generated Nonce
> Ensure it isn't already used on key change operations.
> MACsize 16
• Nonce & MAC stored with wrapped key in ZFS dataset property
Future Key wrapping
• NIST AES Keywrap> Once it is included in PKCS#11
• May consider wrapping using RSA
• Key wrapping algorithm will be able to be changed by doing a key change operation 'zfs key -c -o keywrap=....'
• Won't require pool/dataset to be offline.
Crypto bit for Caching
• L2ARC written to “differently” from normal IO (zio_phys_write)
> Currently a “non persistent cache” - but written to persistent media
> Encryption using pool wide ephemeral key
> AES_CBC not AES_CCM
> Safe enough since we have in memory checksum
> No space for MAC on disk
• L2ARC will switch to AES_CCM when it becomes “persistent” cache.
What about all the decrypted data?
• ZFS in memory cache (ARC) contains very large amounts of decrypted data
> Requires full privilege to see (/dev/kmem)
> But still a risk.
• Can control use of the cache for data per dataset
> Primarycache (memory): none, metadata, all
> Secondarycache (SSD): none, metadata, all
• Future may have encrypted data in primarycache (ARC) as well as secondarycache (L2ARC).
Unwrapped keys in RAM?
• In the pure software case yes, the unwrapped keys are in host RAM
• May not be the case with some hardware crypto keystore/accelerator.
• Keys (and expanded schedule) only in kernel memory
> kmem_alloc(9F) on OpenSolaris, not paged when system swaps
> OpenSolaris x86 suspend to RAM only (S3)
> Solaris SPARC can suspend to disk
Current Deployment Restrictions
• Initially can't boot from encrypted dataset
> /var/tmp could be a separate file system
> /tmp is backed by swap
• No support initially for encrypted crash dump devices
> But Swap on an encrypted ZVOL is supported
> Encrypted crash dumps could be supported but maybe better to have support independent of ZFS.
What about when ZFS evolves
• Most storage in ZFS is via DMU layer objects
• Encryption selected per DMU object
> Some objects need to be in the clear to allow pool traversal for resilver/scrub and initial import
> 11 out of 40 in current codebase encrypted
> Encryption support is a new pool version.
• Future encryption features may version on disk format – will be upwards compatible.
• New dataset types (eg for pNFS) could have different rules to filesystem & ZVOL.
ZFS Encryption Support Availability
• OpenSolaris project
> All project code is opensource (CDDL)
> Depends on OpenSolaris Crypto Framework
> Porting to other OS Platforms should be relatively easy.
> http://opensolaris.org/os/project/zfs-crypto/
• Should port to other platforms that already have ZFS relatively easily.
> Nothing really OpenSolaris specific
Solaris Future Security Project Outlines
Solaris Future
• Stack Shadowing for SPARC
• IKE v2 - Internet Key Exchange protocol
• Kerberos
• Device Allocation
• Solaris Audit
• Read-Only Root Environments
• Validated Execution
• BART Extensions
Stack Shadowing for SPARC
•Stack buffer overflows widely recognized as the leading cause of security vulnerabilities
>Responsible for 45% of CERT advisories
>Huge customer impact
•We can completely stop this class of attack
•Very small one-time development cost
Stack Buffer Overflow
•On a typical processor, the stack contains
>Local variables
>Function arguments
>Return address
[Diagram: stack frame layout from low to high addresses: local variables, arguments, return address, local variables]
•Local variables may include an array used as a data buffer
•Writing past the end of the buffer overwrites the return address
Stack Buffer Overflow - SPARC
•SPARC passes return address and arguments in registers
•Register window contents spill to stack
[Diagram: stack frame layout from low to high addresses: local variables, register save area, local variables]
•Overwriting the stack modifies registers, including return address
•SPARC still vulnerable
Partial Solutions
•Non-executable stacks
>Default for 64-bit SPARC applications
>Only stops one attack variant (code included in payload)
•Stack frame canaries
>Verified upon function return
>Adds run-time overhead
>Can be fooled by more sophisticated attack
•Source code analysis
>No tool that catches all vulnerabilities
>Too much code – including code we don't control
Stack Shadowing
•Kernel maintains shadow copy of register save area
•Part of register window fault handler
>Copy after register spill
>Compare before register fill
•Unique advantage of SPARC architecture
>Hardware provides traps exactly when we need them
Current Status
•Idea developed by NSA researcher
>Presented to Sun as part of cooperative R&D agreement
•SPARC prototype developed in 2005 by Solaris Security
>Proof of concept, but too simplistic for product
•Product-quality implementation now in progress
Opportunity
•Complete solution to a whole class of security vulnerabilities
•Unique opportunity for SPARC and Solaris to lead the market
>Very likely in future x86 processors
>Much easier for SPARC – no HW change needed
>Even works on existing SPARC systems
•Requires small software development effort
IKEv2 in OpenSolaris
• Direct port of racoon2 not possible
> Problem: Both OpenSolaris and BSD (via KAME/WIDE) differ from RFC2367 in different ways
• New work-in-progress: in.ikev2d
• Design of ikev2d
> MT-hot
> large code-overlap from open-sourceable in.iked and racoon2's IKEv2 packet processing
Kerberos Enhancements
• Easily configure credential renewal for the user
> reduces administrative overhead
• Kerberos as a first class account authority
> tighter coupling with our PAM framework and password utilities
• Client side multi-master support for password changes
• Integrate Solaris specific code directly to MIT source base
> helps in working towards the goal of dropping in MIT source code to Solaris
• Improve KDC (Key Distribution Center) load-balancing
> provides configurable auto load-balancing on a per-host basis
Device Allocation
• Moves device allocation/deallocation and re-use to “standard” Solaris (had been in Trusted Solaris in the past).
• Meets Common Criteria device re-use requirements.
• Built on HAL and/or Device Kit I/Fs currently being added to OpenSolaris.
• Project ties into work with Gnome, SunRay, DeviceKit, and other teams.
• Required for Trusted Extensions users.
User Device Access - Architecture
[Diagram: User Device Access design diagram. Components shown: HAL or DeviceKit; Device Allocation “Wizard” (Simple GUI), “Manager” (Expert GUI), Preferences (Config GUI) and “Agent” (Automation), calling allocate, deallocate and list_devices; libdevalloc; Allocation Database; GNOME Preferences; gnome-volume-manager, rmvolmgr, etc.; Nautilus with a Nautilus Message Forwarder over the D-Bus system and session buses; Policy Engine; Window System Events; Device Allocation SMF (deallocate at boot); Solaris Kernel with devfsadm, Unix /dev permission, pseudo dev permission, devalloc, dm and zone_enter; SunRay Server; Boomer. Ownership is marked by team: Desktop Team, SunRay Team, Boomer Team, Device Team, Security Team.]
Solaris Audit
• Audit data is produced by the kernel and user programs. The administrator configures the system to record only the event classes of interest.
• Data written to the audit “trail” is available for forensic analysis. It can also be used (via 3rd party tools) for intrusion detection.
• Audit is required by Common Criteria, US Government, Financial Services customers, and most Enterprise-size deployments of Solaris
Solaris Audit continued
• On-going projects include:
> Always-On – a project to enable Auditing without requiring a reboot of the OS. Multiple issues related to performance are being addressed.
> Secure Remote Audit Trail – a project to securely move audit records to a remote host. A second phase will allow for Solaris to be the remote host, but initially partnering with Kinamik for consolidation.
Read-Only Root Environments
• Boots from Read-Only Image
> ZFS filesystem with readonly=on
> ZFS snapshot
• System executes with unmodifiable root
> Some applications/services changed to maintain state in volatile storage
> device node creation
> logadm
> account locking
Validated Execution: Signed Execution
• Executables are Signed
> Embedded Signatures: elfsign(1) *
> Signed Manifests of Objects
> Manifests from Vendors or Locally Created
• Validation of object integrity before execution use
> Kernel modules validated on load
> Programs and libraries: upcall to validation daemon
> Executed scripts are subject to validation
* support for elfsign may be removed
ValEx: Signed Execution (cont.)
• Restrictions on use of unvalidated objects
> unvalidated_privilege_cap
• Configuration controls which certificates are trusted for object validation
ValEx: unvalidated_privilege_cap
• Specifies maximum privileges of a process using unvalidated objects
> svccfg -s signex setprop application/unvalidate_privilege_cap = value
• Can deny use altogether of unvalidated objects
> setprop application/unvalidate_privilege_cap = noexec
• Privilege limit reduced for use of unvalidated objects
> L = L & upc
• Privileged programs restricted from use of unvalidated objects
> if ((P & ~upc) != empty)
> errno = ENOTSIGNED; /* Object lacks valid signature */
ValEx: use_global_settings
• svccfg -s signex setprop application/use_global_settings = boolean
• In global zone, force all local zones to inherit signex configuration
• In local zone, configure this zone to inherit global validity determination
ValEx: Administrator, Trust Anchors
• signexadm set-administrator <token> <certificate>
> Token specifies location of administrator's private key
> Can specify certificate by DN, CN, or file
• signexadm install-anchor <certificate>
> Can specify certificate by DN, CN, or file
> Action requires signing by administrator
> Proxies trust between administrator and software vendor
ValEx: Manifests
• signexadm install-manifest <file>
> Makes manifest available for validation
> Not a trust operation
> Only need write access to manifest directory
• signexadm install-revocation <file>
> Special form of manifest rescinding signature on specific objects
> Not a trust operation
> Only need write access to revocation directory
Bart
• Creates, stores, and can then compare the state of files in specified portions of the filesystems based on user-specified attributes.
• Uses cryptographic hashes to detect changes in content.
• Used by IT departments to verify/track/audit server contents. Used to track malicious changes in the filesystems.
• Outputs in either human readable, or machine readable format suitable for post processing.
• See Validated Execution project for more details
Bart Extensions
• XML-format manifests
> Extensible format
> Support for content hashes beyond MD5
> Updated command can create and consume legacy format
• Manifest signatures
> Standard XML signature format
> sign and verify operations
• Validation against manifests
For more information
• Center for Internet Security – Solaris 10 Benchmark
> http://www.sun.com/security/docs/CIS_Solaris_10_Benchmark_v4.pdf
• Sun/CIS Solaris 10 Benchmark Appendix
> http://www.sun.com/security/docs/s10-cis-appendix-v1.1.pdf
• You can get both documents from:
> http://www.sun.com/security/docs/Solaris10_Security_Recommendations-080130.tar.gz
For more information
• Sun Security Home
> http://www.sun.com/security
• OpenSolaris Security Community
> http://www.opensolaris.org/os/community/security
• Sun Security Coordination Center
> http://blogs.sun.com/security & [email protected]
• Sun Security BluePrints
> http://www.sun.com/blueprints
• Sun Security Bloggers
> http://blogs.sun.com
Acknowledgements
Special thanks to the following people who contributed to this presentation:
Stephen Browne, Casper Dik, Shawn Emery, Glenn Faden, Dan McDonald, Darren Moffat, Scott Rotondo, Christoph Schuba, Anup Sekhar, Kathy Slattery, Mark Thacker, Paul Wernau, Gary Winiger, and John Zolnowsky